
10 Answers
10

I wouldn't worry about it too much. I'd rather focus on putting out an awesome product, getting a good user base, and treating your customers right than worry about the minimal percentage of users concerned with stealing your code or looking at the source.

Except if the software contains sensitive data that should be protected (such as PRIVATE KEYS and PASSWORDS)
– marcolopes, Mar 9 '14 at 17:08

1

@marcolopes: private keys should never be delivered with the application... you probably meant public keys... and the passwords should be hashed, not clear text anyway...
– Igor Popov, Dec 30 '14 at 10:22

What other solution do you have to store PRIVATE KEYS? Server access? And if there is no Internet connection?
– marcolopes, Jan 3 at 3:17
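A release-time check related to the comments above about private keys shipped inside an application, as an added example that is not part of the original thread: it scans a build artifact for private-key text, including C# string literals, which a plain ASCII search misses. The pattern list, function names and sample inputs are assumptions constructed for illustration.

```python
import re

# Text patterns for private-key material (assumed, non-exhaustive list).
PATTERNS = {
    "pem-private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # .NET RSA.ToXmlString(true) output: the <D> element is the private exponent.
    "rsa-xml-private-key": re.compile(r"<RSAKeyValue>.{0,8192}?<D>", re.S),
}


def text_views(data: bytes):
    # C# string literals live in the assembly's #US heap as UTF-16LE and may
    # start at an odd file offset, so both alignments are decoded. Embedded
    # resource files are usually single-byte text, covered by latin-1.
    yield "ascii", data.decode("latin-1")
    yield "utf-16le", data.decode("utf-16-le", errors="replace")
    yield "utf-16le", data[1:].decode("utf-16-le", errors="replace")


def find_embedded_keys(data: bytes):
    """Return a sorted list of (pattern_name, encoding) hits found in data."""
    hits = set()
    for encoding, text in text_views(data):
        for name, pattern in PATTERNS.items():
            if pattern.search(text):
                hits.add((name, encoding))
    return sorted(hits)


def fake_assembly(literal: str, pad: int) -> bytes:
    """Constructed stand-in for a compiled assembly: padding + UTF-16LE literal."""
    return b"MZ" + b"\x00" * pad + literal.encode("utf-16-le") + b"\x00\x01"


# Constructed sample inputs (placeholders, no real key material).
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----"
SAMPLE_XML_PUBLIC = ("<RSAKeyValue><Modulus>AA</Modulus>"
                     "<Exponent>AQAB</Exponent></RSAKeyValue>")
SAMPLE_XML_PRIVATE = SAMPLE_XML_PUBLIC.replace(
    "</RSAKeyValue>",
    "<P>AA</P><Q>AA</Q><DP>AA</DP><DQ>AA</DQ><D>AA</D></RSAKeyValue>")

if __name__ == "__main__":
    print(find_embedded_keys(fake_assembly(SAMPLE_PEM, 3)))
    print(find_embedded_keys(fake_assembly(SAMPLE_XML_PRIVATE, 1)))
    print(find_embedded_keys(fake_assembly(SAMPLE_XML_PUBLIC, 1)))
```

A public-only key is deliberately not flagged; only private-key markers are.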

Remember, obfuscation is not encryption. IMHO, if somebody perceives value in reverse-engineering your code, they will do it. That's true for managed code or native code, obfuscated or not. Sure, obfuscation deters the casual observer, but is your business actually threatened by such people? Every .NET obfuscation method I've seen makes your life as a developer harder.

We currently obfuscate all our output, even though we are a small outfit who sells specialist software to a small number of clients.

We made this decision for one simple reason - we discovered a disgruntled ex-employee was actively approaching our clients requesting binaries - there was some concern he was intending to reverse engineer newer features in order to offer competing functionality.

Of course he is still able to do this if he uses the software, but there is no reason to make it easy for him.

For instance, every time you use an anonymous type you get IL that compiles back with a pretty obscure name. Every time you use yield you get a whole new class that implements both IEnumerable and IEnumerator (clever optimisation, unreadable code). Every time you use an anonymous delegate you get a new method with a name that's invalid in every .NET language that I know of, but that's fine in the IL.

> Having had some discussions with my manager at work, he said he doesn't obfuscate, but does NGEN on install, apparently that should be enough to stop Reflector working on your assemblies, but I have no idea if this is true and to what extent, so please don't take it as gospel :)

This doesn't offer any kind of protection against disassembly. First, I imagine it's quite possible to extract raw files from any installation package like an MSI or a CAB file.

But more importantly, Ngen runs on the client machine after the assembly has been installed. Ngen just forces the assembly to compile now instead of later using the JIT. The original assembly remains and is unmodified and it must remain because Ngen might not be able to compile the entire assembly.

Ngen is for performance, not security, and does nothing to prevent disassembly or make it even slightly more difficult.

Good question though, as it's something I am keen to know more about (I currently do not obfuscate).

Having had some discussions with my manager at work, he said he doesn't obfuscate, but does NGEN on install, apparently that should be enough to stop Reflector working on your assemblies, but I have no idea if this is true and to what extent, so please don't take it as gospel :)

We don't use obfuscation for "non public" applications but we use it for publicly available applications. The obfuscated app contains plenty of highly sophisticated code which took us an exorbitant amount of time to write and that's the reason that makes me think that obfuscation is a must - at least in that case.

Obfuscation is limited in its effectiveness; it might keep the casual guy away. The most effective obfuscation is making only the smallest amount of code available to the user. If you can, make your app depend heavily on a fat server.